Mandatory Legal Systems for Compliance in Türkiye – Part I: Understanding VERBİS
Foreign entities processing personal data of individuals in Türkiye must register with VERBİS under Law No. 6698 (PDPL) and appoint a local representative. The registry requires disclosure of data types, processing purposes, legal bases, transfers, and safeguards. Non-compliance may result in fines exceeding TRY 13 million. VERBİS ensures transparency and is mandatory regardless of physical presence in Türkiye.
05.06.2025

Introduction
Foreign entities processing personal data of individuals in Türkiye are legally required to comply with the Data Controllers’ Registry Information System (“VERBİS”), established under Law No. 6698 on the Protection of Personal Data (“PDPL”).
VERBİS is a mandatory public registry where data controllers must disclose key aspects of their data processing activities. Non-compliance may result in substantial administrative fines and reputational harm.
This article is Part I of a two-part series and provides a detailed overview of VERBİS, including its legal basis, scope, registration requirements, and sanctions. Part II will focus on compliance strategies for foreign entities.
Türkiye’s Data Protection Framework
In line with global data protection standards such as Europe’s General Data Protection Regulation (“GDPR”), Türkiye enacted the PDPL to ensure lawful, fair, and transparent processing of personal data. A central mechanism of enforcement under the PDPL is VERBİS.
VERBİS is operated by the Personal Data Protection Authority (“Authority”) and requires all data controllers—including foreign entities—to register and publicly declare their data processing operations before engaging with Turkish data subjects.
Legal Basis:
- Primary Law: Law No. 6698 on the Protection of Personal Data
- Enforcement Authority: Personal Data Protection Authority
- Registry Platform: VERBİS – Data Controllers’ Registry Information System
Established under Article 16 of PDPL, VERBİS promotes accountability and transparency by mandating that controllers disclose and update the scope of their data processing activities.
Applicability to Foreign Entities
Foreign legal entities are subject to VERBİS obligations if they:
- Process the personal data of individuals located in Türkiye; and
- Determine the purposes and means of processing, regardless of whether they maintain a physical presence in Türkiye.
Foreign controllers must:
- Register with VERBİS before initiating any data processing involving Turkish individuals; and
- Appoint a local representative (a natural or legal person) domiciled in Türkiye, who serves as the formal liaison with the Authority.
Required Disclosures During Registration
Data controllers must submit a detailed declaration via VERBİS, which includes the following key components:
- Categories of Personal Data Processed: e.g., identity, contact, financial, biometric, health.
- Categories of Data Subjects: e.g., customers, employees, vendors, website users.
- Purposes of Processing: e.g., contract performance, marketing, HR management.
- Legal Bases for Processing: e.g., explicit consent, legal obligation, legitimate interest.
- Recipient Groups: e.g., affiliates, service providers, public institutions.
- Cross-Border Transfers: if data is transferred abroad, the destination countries must be specified.
- Data Retention Periods: maximum duration data will be kept for each category.
- Technical and Administrative Measures: details of how personal data is protected (see below).
Note: VERBİS provides predefined options for each of the above categories, but organizations may also manually enter specific practices and measures they implement, allowing for a more accurate and tailored representation of internal processes.
Technical and Administrative Measures
Under PDPL, data controllers must adopt appropriate technical and administrative measures to safeguard personal data. These measures must be declared in the VERBİS system.
A. Technical Measures
- Access Controls: Role-based user access, authorization layers.
- Encryption: For both stored and transmitted data.
- Firewalls & Intrusion Detection Systems: Network-level protections.
- Secure Data Storage: Physical and cloud-based storage safeguards.
- Backup & Recovery Systems: Regular backups and disaster recovery protocols.
- Antivirus & Anti-Malware: Endpoint protection against external threats.
- Audit Logs: System activity monitoring and traceability.
- Secure Deletion: Data wiping or physical destruction when no longer needed.
B. Administrative Measures
- Internal Data Protection Policies: Governing how data is handled and by whom.
- Employee Training Programs: Regular awareness training on PDPL obligations.
- Data Inventory and Classification: Mapping processing activities and data types.
- Appointment of Responsible Personnel: Data protection coordinators or privacy leads.
- Third-Party Compliance Management: Contracts with processors and vendors.
- Incident Response Plans: Clear procedures for managing data breaches.
- Regular Policy Reviews: Periodic reassessments of data governance structures.
In VERBİS, organizations may select from a list of standard safeguards and/or add custom technical or administrative measures that better reflect their unique risk profile and operational complexity.
Local Representative Requirement vs. GDPR’s DPO
A key compliance distinction foreign organizations should understand is the difference between Türkiye’s local representative obligation and Europe’s Data Protection Officer (DPO) requirement under GDPR:

| Requirement | PDPL (Türkiye) | GDPR (Europe) |
| --- | --- | --- |
| Who must be appointed? | Local Representative residing in Türkiye | Data Protection Officer (DPO) with expert knowledge |
| Legal Basis | Articles 11 and 16 of PDPL and VERBİS regulations | Articles 37–39 of GDPR |
| Purpose | Acts as a communication liaison with the Turkish Authority | Monitors internal compliance and advises on data protection |
| Scope of Role | Administrative and representational | Advisory, oversight, and risk mitigation |
| Mandatory for Foreign Entities? | Yes, if processing data of Turkish individuals | Yes, under certain conditions (e.g., large-scale monitoring) |
| Can be Outsourced? | Yes | Yes |

Sanctions for Non-Compliance
Under PDPL Article 18, administrative sanctions for non-compliance with VERBİS obligations include:
- Fines ranging from TRY 272,380 to TRY 13,620,402 for failure to register in VERBİS.
- Repeat offenses and intentional violations may result in aggravated penalties and enforcement measures, including bans on processing.
Conclusion
VERBİS is a cornerstone of Türkiye’s personal data protection regime and a mandatory requirement for foreign entities. Successful registration requires detailed transparency into an organization’s data handling, security practices, and legal compliance efforts. Organizations should approach VERBİS as more than a regulatory obligation—it is a signal of accountability and a strategic tool for building trust with Turkish consumers and regulators.
In Part II of this series, we will explore how foreign entities can effectively operationalize these requirements, from readiness assessments and internal audits to documentation, consent management, and legal coordination.
Kemal Altuğ Özgün, Managing Partner
Işkın İdil Kunt, Mid-Level Associate